Currently, CORS validation takes place in response filtering, not in request. In consequence, payload is already written even when the validation fails.
So an invalid Origin would trigger a 400 bad request error BUT will still send the response content.
In the case of POST endpoints, the response headers doesn't contain CORS information (Access-Control-xxx). Not sure why - maybe because the response stream is already closed?